Analysis
max time kernel: 93s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-05-2024 08:49
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: MuMuInstaller_3.1.6.0_yx-gl-codex_all_1709777287.exe
  Resource: win7-20240221-en
- Behavioral task: behavioral2
  Sample: MuMuInstaller_3.1.6.0_yx-gl-codex_all_1709777287.exe
  Resource: win10v2004-20240508-en
General
Target: MuMuInstaller_3.1.6.0_yx-gl-codex_all_1709777287.exe
Size: 5.3MB
MD5: 86e0f88dcc69e631df6cfd28bb5babb1
SHA1: e7b3552cf10983c97bf3381fe66053f8f5a1ea9c
SHA256: baa175b6fa6ee27992d80995f9eae285f3a3eceb35b655c0c5a5f58b7ac748dc
SHA512: c2e0b76ea267cbe01019cd826c90ffcf84e88da1f16c83ae36cebe543cf75316b5a375a3f053165d4e8fe0b6d65a70558cb08693473d5710dc9de4a44fef7843
SSDEEP: 98304:cevOCyjertpQj68ndGaX6tJJQv2FKA75OpVclc02vDRZTEW:pvOCyj2tpYo3u0jc02vVZoW
Malware Config
Signatures
- Enumerates connected drives (3 TTPs, 1 IoC)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
    description | ioc | process
    File opened (read-only) | \??\F: | nemu-downloader.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | nemu-downloader.exe
- Executes dropped EXE (5 IoCs)
  Processes:
    pid | process
    4656 | nemu-downloader.exe
    4808 | ColaBoxChecker.exe
    4908 | HyperVChecker.exe
    2140 | HyperVChecker.exe
    4404 | HyperVChecker.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid | process
    4656 | nemu-downloader.exe
    4656 | nemu-downloader.exe
    4656 | nemu-downloader.exe
    4656 | nemu-downloader.exe
- Suspicious behavior: LoadsDriver (4 IoCs)
  Processes:
    pid | process
    660 |
    660 |
    660 |
    660 |
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description | pid | process | target process
    PID 1852 wrote to memory of 4656 | 1852 | MuMuInstaller_3.1.6.0_yx-gl-codex_all_1709777287.exe | nemu-downloader.exe
    PID 1852 wrote to memory of 4656 | 1852 | MuMuInstaller_3.1.6.0_yx-gl-codex_all_1709777287.exe | nemu-downloader.exe
    PID 1852 wrote to memory of 4656 | 1852 | MuMuInstaller_3.1.6.0_yx-gl-codex_all_1709777287.exe | nemu-downloader.exe
    PID 4656 wrote to memory of 4808 | 4656 | nemu-downloader.exe | ColaBoxChecker.exe
    PID 4656 wrote to memory of 4808 | 4656 | nemu-downloader.exe | ColaBoxChecker.exe
    PID 4656 wrote to memory of 4808 | 4656 | nemu-downloader.exe | ColaBoxChecker.exe
    PID 4656 wrote to memory of 4908 | 4656 | nemu-downloader.exe | HyperVChecker.exe
    PID 4656 wrote to memory of 4908 | 4656 | nemu-downloader.exe | HyperVChecker.exe
    PID 4656 wrote to memory of 2140 | 4656 | nemu-downloader.exe | HyperVChecker.exe
    PID 4656 wrote to memory of 2140 | 4656 | nemu-downloader.exe | HyperVChecker.exe
    PID 4656 wrote to memory of 4404 | 4656 | nemu-downloader.exe | HyperVChecker.exe
    PID 4656 wrote to memory of 4404 | 4656 | nemu-downloader.exe | HyperVChecker.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\MuMuInstaller_3.1.6.0_yx-gl-codex_all_1709777287.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\MuMuInstaller_3.1.6.0_yx-gl-codex_all_1709777287.exe"
  PID: 1852
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\7z778E073C\nemu-downloader.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\7z778E073C\nemu-downloader.exe
    PID: 4656
    - Enumerates connected drives
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\7z778E073C\ColaBoxChecker.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\7z778E073C\ColaBoxChecker.exe" checker /baseboard
      PID: 4808
      - Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\7z778E073C\HyperVChecker.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\7z778E073C\HyperVChecker.exe"
      PID: 4908
      - Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\7z778E073C\HyperVChecker.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\7z778E073C\HyperVChecker.exe"
      PID: 2140
      - Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\7z778E073C\HyperVChecker.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\7z778E073C\HyperVChecker.exe"
      PID: 4404
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\7z778E073C\ColaBoxChecker.exe
  Filesize: 4.0MB
  MD5: 839708e3f96cf055436fa08d6205263c
  SHA1: a4579f8cb6b80fe3fd50099794f63eb51be3292f
  SHA256: 1373c5d006a5dbcd9b86cfff9a37616f1245d1333c4adcefc7cd18926b98d752
  SHA512: ece67e031e06a0442d935e7d81d0eed57ae92b348b5d104423577478ce226e4a4bde834c54e31d33bfe6f574fb7798ba96886d9e8edb738edee6e7c9c43054cd
- C:\Users\Admin\AppData\Local\Temp\7z778E073C\HyperVChecker.exe
  Filesize: 117KB
  MD5: dbd84c6083e4badf4741d95ba3c9b5f8
  SHA1: 4a555adf8e0459bfd1145d9bd8d91b3fff94aad0
  SHA256: 9ff467bc5a1c377102d25da9fa9c24dcc4375f456510f71584f0714fdfb2af39
  SHA512: fb5fe74f64254609e07d6642acf904562bb905cd7c14c6f85ba31bcdbaf06686c0586609ec4f5d2f8f55ff90334dcbb774a3a6e78df74bf1b1d0cd03dec21870
- C:\Users\Admin\AppData\Local\Temp\7z778E073C\baseboard
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- C:\Users\Admin\AppData\Local\Temp\7z778E073C\baseboard
  Filesize: 114B
  MD5: 0bd26f192ec3bd1baf1118cc910fdb00
  SHA1: 10ebaace7c11d8df12db5df7694aaa3270744741
  SHA256: 12d48e8f7f2df595f186b1fc49459743a4d5ff0b1669691f5488a74f487d5014
  SHA512: 81490a0baaef475972cdc5f7250193cc99f472d3cc149e4412066cc43cd14c5d82c3a87e5bffb23da8465032b8e22cf50374e13b0d710f148dbfe4237c9f8c18
- C:\Users\Admin\AppData\Local\Temp\7z778E073C\config.ini
  Filesize: 342B
  MD5: 048404eeb7f19ff7aea3e0e282b2668f
  SHA1: 4ee3a5f86c9cc6a0f2fd597e41264249d49d7e30
  SHA256: 536276708fd9e141dc5036a7feb791a2467c667bb16d7ce90bf2917a68a772a2
  SHA512: 6fe975bfc6994edb1fddab0fa635a6d34d5624836fa7f77f6029c13ff633ee0af49fe513f1bb24d7c3cc90e83fcba837d82c8e593ca6e68e8101d4f44cf43b2c
- C:\Users\Admin\AppData\Local\Temp\7z778E073C\nemu-downloader.exe
  Filesize: 3.2MB
  MD5: b311535e3673c225b4095f77ca7ea4f5
  SHA1: 4206e1cbe58428fdbc9b319b8919373646807583
  SHA256: 7662f1e4e1b4a52cce2fb8c57ffdd4ec8654f3bd1a830814845e75fdcd3f1735
  SHA512: 57d9d6e592a6cdc3a8ffd514ad21729de15fcdd8b4fd321ce013c9541e08ad6cf3a11bf1479464b5b0fff771552c19ccad2720239779fcd25290c436a287b6c2
- C:\Users\Admin\AppData\Local\Temp\7z778E073C\skin.zip
  Filesize: 509KB
  MD5: d59a09fb475ed8cd967e1a5366d7884d
  SHA1: 8636b3f7d18482ce940607af9d0e51232d8491d4
  SHA256: 45a97dba97f3613ec8f357d9a36fe336c2795ead0f32081856b9b2dad4620ce1
  SHA512: 39a667a970f66ba6c28351a038c23bb4f4427e1b584a2cabf962711c64ad7540f09a00b2771c01c965d59f69b5b707e9659349aaf68b6f675695e9e83cf40e58